Permissions to block review of TOTP seeds for some Vault members
I would like to have an option in the security settings for Business accounts that allows me to specify some team members that cannot see the seed value/string behind the TOTP codes in a specific vault. I'm OK if they can scan a QR code or ADD a new seed value/string to an entry, but once it's saved, I'd like them to not be able to see/copy the actual seed value, though I do want them to be able to see the currently-generated TOTP 6-digit code, and I DO want them (I think? Maybe a separate permission?) to be able to overwrite the existing value with a new seed to set a new TOTP seed (with a history kept for admins), but then not be able to view more than the actual 6-digit code.
For reference, there was an IT Glue issue per https://www.linkedin.com/pulse/glue-totp-code-exposure-jason-slagle/ where IT Glue sent the entire TOTP seed to the web client for any user accessing a password with a TOTP-integrated code. This isn't great, and they fixed it, but it did make me think that it would be nice if 1Password could similarly make it difficult for some non-admin users to obtain the seed for TOTP purposes once set, and just be able to see the code.
I did check the permissions list and it doesn't appear to be a current option.
1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Browser:_ Not Provided
Comments
-
Hi @dszp,
I'll be happy to pass on your request to our product team for consideration. Thanks for taking the time and for going into so much detail.
For now, you can uncheck the
Edit Items
permission for a team member or group within a vault to restrict them from editing the item and viewing or modifying the secret. Of course, this isn't ideal if you'd like them to make changes to other fields of items.ref: IDEA-I-2030
0